openssl / c5e8bd1
Test mac-then-encrypt Verify that the encrypt-then-mac negotiation is handled correctly. Additionally, when compiled with no-asm, this test ensures coverage for the constant-time MAC copying code in ssl3_cbc_copy_mac. The proxy-based CBC padding test covers that as well but it's nevertheless better to have an explicit handshake test for mac-then-encrypt. Reviewed-by: Andy Polyakov <appro@openssl.org> (cherry picked from commit b3618f44a7b8504bfb0a64e8a33e6b8e56d4d516) Emilia Kasper authored 7 years ago Richard Levitte committed 6 years ago
5 changed file(s) with 249 addition(s) and 1 deletion(s).
1111 *) Ignore the '-named_curve auto' value for compatibility of applications
1212 with OpenSSL 1.0.2.
1313 [Tomas Mraz <tmraz@fedoraproject.org>]
14 *) Support for SSL_OP_NO_ENCRYPT_THEN_MAC in SSL_CONF_cmd.
15 [Emilia Käsper]
1416
1517 Changes between 1.1.0e and 1.1.0f [25 May 2017]
1618
356356 SSL_FLAG_TBL_SRV("ECDHSingle", SSL_OP_SINGLE_ECDH_USE),
357357 SSL_FLAG_TBL("UnsafeLegacyRenegotiation",
358358 SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION),
359 SSL_FLAG_TBL_INV("EncryptThenMac", SSL_OP_NO_ENCRYPT_THEN_MAC),
359360 };
360361 if (value == NULL)
361362 return -3;
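Review bot: The new `EncryptThenMac` entry in the Options flag table has no comment, and its polarity is easy to misread. It is registered with `SSL_FLAG_TBL_INV` against `SSL_OP_NO_ENCRYPT_THEN_MAC`, so `Options = -EncryptThenMac` is the form that sets the NO_ flag, which is how the test configurations in this commit use it. I would add `/* Inverted: "-EncryptThenMac" sets SSL_OP_NO_ENCRYPT_THEN_MAC, leaving CBC suites on MAC-then-encrypt */` above the entry. None of the five changed files shown looks like the SSL_CONF_cmd manual page, so the new keyword probably also needs a documentation entry stating that encrypt-then-MAC is on by default and that switching it off is meant for interoperability or testing. The enclosing function starts and ends outside this section.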
2828
2929 # We hard-code the number of tests to double-check that the globbing above
3030 # finds all files as expected.
31 plan tests => 18; # = scalar @conf_srcs
31 plan tests => 19; # = scalar @conf_srcs
3232
3333 # Some test results depend on the configuration of enabled protocols. We only
3434 # verify generated sources in the default configuration.
0 # Generated with generate_ssl_tests.pl
1
2 num_tests = 6
3
4 test-0 = 0-disable-encrypt-then-mac-server-sha
5 test-1 = 1-disable-encrypt-then-mac-client-sha
6 test-2 = 2-disable-encrypt-then-mac-both-sha
7 test-3 = 3-disable-encrypt-then-mac-server-sha2
8 test-4 = 4-disable-encrypt-then-mac-client-sha2
9 test-5 = 5-disable-encrypt-then-mac-both-sha2
10 # ===========================================================
11
12 [0-disable-encrypt-then-mac-server-sha]
13 ssl_conf = 0-disable-encrypt-then-mac-server-sha-ssl
14
15 [0-disable-encrypt-then-mac-server-sha-ssl]
16 server = 0-disable-encrypt-then-mac-server-sha-server
17 client = 0-disable-encrypt-then-mac-server-sha-client
18
19 [0-disable-encrypt-then-mac-server-sha-server]
20 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
21 CipherString = DEFAULT
22 Options = -EncryptThenMac
23 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
24
25 [0-disable-encrypt-then-mac-server-sha-client]
26 CipherString = AES128-SHA
27 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
28 VerifyMode = Peer
29
30 [test-0]
31 ExpectedResult = Success
32
33
34 # ===========================================================
35
36 [1-disable-encrypt-then-mac-client-sha]
37 ssl_conf = 1-disable-encrypt-then-mac-client-sha-ssl
38
39 [1-disable-encrypt-then-mac-client-sha-ssl]
40 server = 1-disable-encrypt-then-mac-client-sha-server
41 client = 1-disable-encrypt-then-mac-client-sha-client
42
43 [1-disable-encrypt-then-mac-client-sha-server]
44 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
45 CipherString = DEFAULT
46 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
47
48 [1-disable-encrypt-then-mac-client-sha-client]
49 CipherString = AES128-SHA
50 Options = -EncryptThenMac
51 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
52 VerifyMode = Peer
53
54 [test-1]
55 ExpectedResult = Success
56
57
58 # ===========================================================
59
60 [2-disable-encrypt-then-mac-both-sha]
61 ssl_conf = 2-disable-encrypt-then-mac-both-sha-ssl
62
63 [2-disable-encrypt-then-mac-both-sha-ssl]
64 server = 2-disable-encrypt-then-mac-both-sha-server
65 client = 2-disable-encrypt-then-mac-both-sha-client
66
67 [2-disable-encrypt-then-mac-both-sha-server]
68 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
69 CipherString = DEFAULT
70 Options = -EncryptThenMac
71 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
72
73 [2-disable-encrypt-then-mac-both-sha-client]
74 CipherString = AES128-SHA
75 Options = -EncryptThenMac
76 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
77 VerifyMode = Peer
78
79 [test-2]
80 ExpectedResult = Success
81
82
83 # ===========================================================
84
85 [3-disable-encrypt-then-mac-server-sha2]
86 ssl_conf = 3-disable-encrypt-then-mac-server-sha2-ssl
87
88 [3-disable-encrypt-then-mac-server-sha2-ssl]
89 server = 3-disable-encrypt-then-mac-server-sha2-server
90 client = 3-disable-encrypt-then-mac-server-sha2-client
91
92 [3-disable-encrypt-then-mac-server-sha2-server]
93 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
94 CipherString = DEFAULT
95 Options = -EncryptThenMac
96 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
97
98 [3-disable-encrypt-then-mac-server-sha2-client]
99 CipherString = AES128-SHA256
100 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
101 VerifyMode = Peer
102
103 [test-3]
104 ExpectedResult = Success
105
106
107 # ===========================================================
108
109 [4-disable-encrypt-then-mac-client-sha2]
110 ssl_conf = 4-disable-encrypt-then-mac-client-sha2-ssl
111
112 [4-disable-encrypt-then-mac-client-sha2-ssl]
113 server = 4-disable-encrypt-then-mac-client-sha2-server
114 client = 4-disable-encrypt-then-mac-client-sha2-client
115
116 [4-disable-encrypt-then-mac-client-sha2-server]
117 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
118 CipherString = DEFAULT
119 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
120
121 [4-disable-encrypt-then-mac-client-sha2-client]
122 CipherString = AES128-SHA256
123 Options = -EncryptThenMac
124 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
125 VerifyMode = Peer
126
127 [test-4]
128 ExpectedResult = Success
129
130
131 # ===========================================================
132
133 [5-disable-encrypt-then-mac-both-sha2]
134 ssl_conf = 5-disable-encrypt-then-mac-both-sha2-ssl
135
136 [5-disable-encrypt-then-mac-both-sha2-ssl]
137 server = 5-disable-encrypt-then-mac-both-sha2-server
138 client = 5-disable-encrypt-then-mac-both-sha2-client
139
140 [5-disable-encrypt-then-mac-both-sha2-server]
141 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
142 CipherString = DEFAULT
143 Options = -EncryptThenMac
144 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
145
146 [5-disable-encrypt-then-mac-both-sha2-client]
147 CipherString = AES128-SHA256
148 Options = -EncryptThenMac
149 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
150 VerifyMode = Peer
151
152 [test-5]
153 ExpectedResult = Success
154
155
0 # -*- mode: perl; -*-
1 # Copyright 2016-2016 The OpenSSL Project Authors. All Rights Reserved.
2 #
3 # Licensed under the OpenSSL license (the "License"). You may not use
4 # this file except in compliance with the License. You can obtain a copy
5 # in the file LICENSE in the source distribution or at
6 # https://www.openssl.org/source/license.html
7
8
9 ## SSL test configurations
10
11 package ssltests;
12
13 our @tests = (
14 {
15 name => "disable-encrypt-then-mac-server-sha",
16 server => {
17 "Options" => "-EncryptThenMac",
18 },
19 client => {
20 "CipherString" => "AES128-SHA",
21 },
22 test => {
23 "ExpectedResult" => "Success",
24 },
25 },
26 {
27 name => "disable-encrypt-then-mac-client-sha",
28 server => {
29 },
30 client => {
31 "CipherString" => "AES128-SHA",
32 "Options" => "-EncryptThenMac",
33 },
34 test => {
35 "ExpectedResult" => "Success",
36 },
37 },
38 {
39 name => "disable-encrypt-then-mac-both-sha",
40 server => {
41 "Options" => "-EncryptThenMac",
42 },
43 client => {
44 "CipherString" => "AES128-SHA",
45 "Options" => "-EncryptThenMac",
46 },
47 test => {
48 "ExpectedResult" => "Success",
49 },
50 },
51 {
52 name => "disable-encrypt-then-mac-server-sha2",
53 server => {
54 "Options" => "-EncryptThenMac",
55 },
56 client => {
57 "CipherString" => "AES128-SHA256",
58 },
59 test => {
60 "ExpectedResult" => "Success",
61 },
62 },
63 {
64 name => "disable-encrypt-then-mac-client-sha2",
65 server => {
66 },
67 client => {
68 "CipherString" => "AES128-SHA256",
69 "Options" => "-EncryptThenMac",
70 },
71 test => {
72 "ExpectedResult" => "Success",
73 },
74 },
75 {
76 name => "disable-encrypt-then-mac-both-sha2",
77 server => {
78 "Options" => "-EncryptThenMac",
79 },
80 client => {
81 "CipherString" => "AES128-SHA256",
82 "Options" => "-EncryptThenMac",
83 },
84 test => {
85 "ExpectedResult" => "Success",
86 },
87 },
88 );
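Review bot: All six cases assert only `"ExpectedResult" => "Success"`, so they would still pass if `-EncryptThenMac` were silently ignored and encrypt-then-mac were negotiated anyway. The mac-then-encrypt path that the commit message wants covered is therefore exercised only by implication. If the test harness can assert the negotiated extension it should be used here (no such key is visible on this page). At minimum the file should state what it relies on, for example a header comment `# Each case disables encrypt-then-mac on at least one peer and forces a CBC suite, so the record layer must fall back to mac-then-encrypt.` There is also no baseline case with the option left enabled on both peers, and the six entries differ only in the cipher and in which side carries the option, so they could be generated from two short lists instead of being written out by hand.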